innerHTML and security

Hello!
I have a textbox in which users can enter some text.
After they enter this text, I show it to them with the help of innerHTML.
(Before that, I replace smilies with <img> tags.)
I've tried to enter some JavaScript there and found that it doesn't run.
The question is: how safe is that?

JavaScript

8 Comments

@JunkMale Oct 23, 2011 — English not your first?

Try posting your code for the page you are having a problem with and people might be able to help you.
@savvykms Oct 23, 2011 — Encode your HTML special characters as entities and output using innerText or innerHTML, depending on whether your smiley replacement feature exists.
@alexalex (author) Oct 24, 2011 — English is not even my second ))

Here are pieces of my code:

In HTML

<textarea name="txtMessage" rows="2" cols="20" id="txtMessage" onkeypress="return showPreview(event)" style="height:300px;width:500px;">

</textarea>

<div id="divPreview" style="clear:both;width:550px">

</div>

in JavaScript:

function showPreview() {

    var preview = document.getElementById('divPreview');
    var texxt = "";
    if (document.all) {
        // old IE path: read the textarea through innerText
        texxt = document.getElementById('txtMessage').innerText;
    }
    else {
        texxt = document.getElementById('txtMessage').value;
    }

    // limit the preview to 499 characters
    if (texxt.length > (500 - 1)) return false;

    // smiley and line-break replacement; the parentheses must be escaped in a regex
    texxt = texxt.replace(/:\)/g, "<img src='emotions/smile.gif'>");
    texxt = texxt.replace(/:\(/g, "<img src='emotions/sad.gif'>");
    texxt = texxt.replace(/\n/g, "<br />");

    // the raw user text, with the tags above spliced in, is parsed as HTML here
    preview.innerHTML = "<p>" + texxt + "</p>";

}
@alexalex (author) Oct 24, 2011 — I found this recommendation on some forum:

// replace the characters that start markup in HTML text with entities
function encodeHTML(s) {

    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');

}

somediv.innerHTML = '<p>Hello, ' + encodeHTML(name) + '</p>';

And on another forum I got the impression that on the client side it is not dangerous...
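An added example (my code, not code from the thread) that puts the two string-based previews side by side. previewUnsafe mirrors the logic of the posted showPreview(); previewSafe applies the encodeHTML() recommendation above, extended to cover > and ' as well, and does the encoding before the smiley replacement. The payload string is constructed for the demonstration; the image paths are the ones from the question. One browser fact worth knowing here: a <script> element inserted through innerHTML is never executed, which is why typing JavaScript into the box looked harmless, but an event-handler attribute such as onerror on an <img> does run.

```javascript
// Added example (not from the original thread): the string-based preview
// from the question, first as posted (regexes repaired), then hardened.
// Runs in Node without a DOM because both functions only return the HTML
// string that the page would assign to divPreview.innerHTML.

// Mirror of the original showPreview() logic: smiley replacement runs on
// raw user text, so any markup the user typed reaches innerHTML intact.
function previewUnsafe(text) {
  return "<p>" +
    text.replace(/:\)/g, "<img src='emotions/smile.gif'>")
        .replace(/:\(/g, "<img src='emotions/sad.gif'>")
        .replace(/\n/g, "<br />") +
    "</p>";
}

// Escape every character that can change meaning in an HTML text node or
// a quoted attribute. The forum snippet quoted above skipped > and ';
// adding them costs nothing and closes the single-quoted-attribute case.
function encodeHTML(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened preview: encode FIRST, then do the smiley and newline
// replacements on the encoded text. The patterns :) :( and \n contain no
// HTML special characters, so encoding does not disturb them, and the only
// tags that survive are the ones this function writes itself.
function previewSafe(text) {
  return "<p>" +
    encodeHTML(text)
      .replace(/:\)/g, "<img src='emotions/smile.gif'>")
      .replace(/:\(/g, "<img src='emotions/sad.gif'>")
      .replace(/\n/g, "<br />") +
    "</p>";
}

// Constructed payload for the demonstration. A <script> tag set through
// innerHTML is NOT executed by browsers, which is why the author's test
// "didn't work"; an event handler attribute on an <img> is.
const PAYLOAD = "hi :) <img src=x onerror=\"alert(document.cookie)\">";

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return { unsafe: previewUnsafe(PAYLOAD), safe: previewSafe(PAYLOAD) };
}

if (typeof require !== "undefined" && require.main === module) {
  const out = demo();
  console.log("unsafe:", out.unsafe);
  console.log("safe:  ", out.safe);
}
```

The order matters: encoding after the smiley replacement would turn your own <img> tags into visible text, which is usually why people drop the encoding step altogether. Encoding first keeps the feature and removes the injection.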
@JunkMale Oct 24, 2011 — Security wise...

If you're allowing special characters and you're having that data presented to a server, it does pose a risk. Various "injection" methods exist to "break" forms and server-side scripts, allowing the hacking of a site and revealing its inner workings.

So it all depends on what you are proposing to do with the input data, and whether that form is to be submitted to a server.
@alexalex (author) Oct 24, 2011 — Before submitting to the database it will be encoded to text.

So the question is only about the client side and innerHTML.
@rnd_me Oct 24, 2011 — [QUOTE]Before submitting to the database it will be encoded to text.

So the question is only about the client side and innerHTML.[/QUOTE]


how would allowing js to run on the client page hurt anything?

it's not like the only way i can execute code on your site is via an exploit.

greasemonkey, bookmarklets, firebug, et al. all allow easy script execution.

let the users put what they want on THEIR page, but be safe about what YOU put in the DB.

the key is that you never show one user another user's input. that's pretty universal for most things client/server...
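A second added example (mine, not from the thread) that drops innerHTML entirely: tokenise the text, then build the preview with createTextNode and createElement. If the same rendering path is later reused to show one user's message to another, which is exactly the case the reply above warns about, this is the shape that stays safe, because user text is only ever inserted as a text node. tokenize() runs anywhere; renderPreview() assumes a browser document and the element ids from the question.

```javascript
// Added example (not code from the original thread): render the preview
// without innerHTML. Step 1 tokenises the raw text into plain-text runs,
// smileys and line breaks; step 2 turns the tokens into DOM nodes, so user
// text can never be parsed as markup. Step 1 is pure and runs in Node;
// step 2 needs a browser `document`.

// Smiley table. Only :) and :( appear on the page; the image paths are the
// ones from the question.
const SMILEYS = { ":)": "emotions/smile.gif", ":(": "emotions/sad.gif" };

// Tokenise: returns an array of {type:"text", value} / {type:"img", src} /
// {type:"br"} objects. The alternation matches newlines and smileys;
// everything between matches is emitted verbatim as a text token.
function tokenize(text) {
  const tokens = [];
  const re = /\n|:\)|:\(/g;
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    if (m.index > last) {
      tokens.push({ type: "text", value: text.slice(last, m.index) });
    }
    if (m[0] === "\n") {
      tokens.push({ type: "br" });
    } else {
      tokens.push({ type: "img", src: SMILEYS[m[0]] });
    }
    last = m.index + m[0].length;
  }
  if (last < text.length) {
    tokens.push({ type: "text", value: text.slice(last) });
  }
  return tokens;
}

// Build DOM nodes from tokens. Text goes through createTextNode, so a user
// who types <img src=x onerror=...> sees exactly those characters and the
// browser never creates an element from them. Browser-only.
function renderPreview(container, text) {
  while (container.firstChild) container.removeChild(container.firstChild);
  const p = document.createElement("p");
  for (const t of tokenize(text)) {
    if (t.type === "text") {
      p.appendChild(document.createTextNode(t.value));
    } else if (t.type === "br") {
      p.appendChild(document.createElement("br"));
    } else {
      const img = document.createElement("img");
      img.src = t.src; // property assignment, not string concatenation
      p.appendChild(img);
    }
  }
  container.appendChild(p);
}

// Usage in the page (ids assumed from the question):
//   document.getElementById("txtMessage").addEventListener("input", function () {
//     renderPreview(document.getElementById("divPreview"), this.value);
//   });
```

Because no string of user text is ever handed to the HTML parser, there is nothing to encode and nothing to get the order wrong; the smiley feature is implemented by the code that decides which element to create, not by text substitution.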
@JunkMale Oct 25, 2011 — [QUOTE]English is not even my second[/QUOTE]

Níl mianach.